By: Jean Chorazyczewski, InCommon Academy Director
IAM SPEAKER SPOTLIGHT SUMMARY: Explore strategies for enhancing IAM security while maintaining user convenience in higher education. Join experts as they discuss the challenges posed by social engineering attacks and share insights on balancing robust security measures with seamless access for students, faculty, and staff.
Understanding the IAM Challenge in Higher Education
Higher education institutions face an ever-growing challenge: how to keep their systems secure without making life difficult for their users. Social engineering attacks like phishing, identity fraud, and fraudulent password reset requests are becoming more sophisticated and frequent.
According to EDUCAUSE in May 2024, education is the top target for hackers globally, with nearly 2,300 attacks per week. Universities, with their open networks and vast numbers of students, faculty, and staff, are prime targets.
These attacks interfere with Identity and Access Management (IAM) processes, leading to security breaches, compromised accounts, and data loss.
High Expectations for Seamless Access
So, what’s the issue? Today’s users — whether students, faculty, or staff — expect quick, intuitive, and frictionless access, similar to what they experience with platforms like social media, online banking, and e-commerce.
In a higher education environment, where users may log in multiple times a day to access various systems — email, course management, research databases, or collaboration tools — the process needs to be fast and straightforward.
The Risk of Intrusive Security Measures
If security measures become too intrusive, users might resort to workarounds, like saving passwords in unsecured places or bypassing multi-factor authentication. This undermines IAM’s security goals.
Balancing security and usability is not just about convenience; it is essential for ensuring that security protocols are effective and followed.
Join the Webinar
To address these challenges, our upcoming webinar on Wednesday, Nov. 20, at 1:00 p.m. ET, ‘IAM in Higher Ed: Balancing Security and Ease of Use,’ will bring together experts to explore strategies for strengthening security without compromising the user experience.
Join Matt Morton, assistant vice president and CISO at the University of Chicago, along with Eric Zematis, CISO, and Forest Crowley, security architect/IAM manager at Lehigh University, as they share insights and practical approaches for combating social engineering threats while keeping systems user-friendly.
Jeremy Rosenberg, assistant vice president for IT and chief information security officer at Yale University, will moderate the webinar.
Q&A Highlights: Tackling IAM Challenges in Higher Education
Ahead of the Nov. 20 webinar, we spoke with Morton, Zematis, and Crowley to gather key insights about IAM challenges they have faced. Here are the highlights from our conversation.
Eric Zematis and Forest Crowley (Lehigh University):
Higher education institutions struggle to balance IAM security and convenience due to their
diverse community base with varying needs and the ‘open’ culture. This is further complicated by
adversaries identifying education as a soft target and stringent compliance
requirements.
Matt Morton (University of Chicago):
Identity is at the core of most attacks today and it also has the most impact on users when steps
are taken to secure accounts or change processes. As a result, it’s important to balance these
items carefully with the risks that are being mitigated.
Eric Zematis and Forest Crowley (Lehigh University):
We continue to see a significant volume of email-based phishing attacks. In addition, we are
seeing more phone/SMS impersonation attacks. This has been a challenge for our Help Desk, which
now needs to initiate Zoom calls for ID verification.
Matt Morton (University of Chicago):
We are seeing an increase in attacks at the service desk where the
threat actors are attempting to reset credentials like passwords and Duo phone numbers by
calling in. We require a visual recertification via Zoom, but it is putting a significant
workload on the desk that was not planned for.
Eric Zematis and Forest Crowley (Lehigh University):
A key challenge to strengthening identity security is user friction. User authentication occurs
so frequently that small changes can often be a major obstacle.
Another challenge is securing limited resources (money and personnel) to properly implement and
maintain IAM systems, which are often complex and require continuous attention.
Matt Morton (University of Chicago):
Many faculty and researchers engage in
extensive international collaborations, which broadens the attack surface for both their
accounts and those of their collaborators. Securing by geolocation alone is insufficient. It’s
essential that the support desk is trained to recognize international identifiers and can work
without bias or assumptions when verifying this group.
Eric Zematis and Forest Crowley (Lehigh University):
When implementing new security measures, like multi-factor authentication (MFA), clearly
explaining the ‘why’ behind the change can significantly reduce resistance and improve overall
security posture. People are more likely to embrace security measures when they understand their
importance and how they benefit, rather than feeling like they’re just pointless hurdles to
overcome.
Matt Morton (University of Chicago):
One key lesson I’ve
learned in navigating the balance between security and usability in IAM is that user experience
is critical to security adoption. Striking the right balance requires simplifying the user
journey wherever possible — especially in tasks like authentication and access requests — while
implementing robust security controls.
For example, adopting technologies like
single sign-on (SSO) and adaptive MFA can improve both security and usability by reducing
friction for users in low-risk scenarios while tightening controls in higher-risk
contexts.
Ultimately, aligning security requirements with user convenience enhances
compliance and reduces the likelihood of security workarounds or “shadow IT.”
Eric Zematis and Forest Crowley (Lehigh University):
Attendees should leave recognizing that IAM is not a ‘set it and forget it’ task, but
requires continuous monitoring and adaptation to emerging threats like social engineering. They
should be prepared to proactively update policies, educate users, and evolve their security
measures to stay ahead of these ever-changing threats.
Matt Morton (University of Chicago):
I hope attendees leave this webinar with a clear
understanding of how critical it is to strike the right balance between robust security controls
and user experience in IAM. I want them to take away practical strategies for enhancing IAM
practices, such as implementing adaptive MFA, enforcing least privilege access, and improving
identity governance.
Additionally, I hope they recognize the importance of ongoing
user education and integrating IAM with other security tools like threat detection systems to
protect against emerging threats.
Overall, I think the goal is for attendees to feel
empowered to strengthen their IAM frameworks in a way that not only improves security but also
supports operational efficiency and user adoption.
Join Us for IAM Online
Whether you’re an IT leader, a security professional, or part of a help desk team, you’ll gain insights into how to navigate these evolving threats while keeping user experiences smooth. Our speakers will share their firsthand experiences with these attacks, discussing what’s happening at their institutions, the strategies they’re implementing, and practical tips to consider — even if there’s no one-size-fits-all solution.
Please join us online for “IAM in Higher Ed: Balancing Security and Ease of Use” on Wednesday, Nov. 20, 2024, at 1:00 p.m. ET.
Please Note: We’ve introduced a new, improved registration process for our webinars. You’ll now register individually for each webinar, which allows us to deliver content that’s even more aligned with what you want to see. Get ready for more engaging, community-driven webinars designed with you in mind!